=====================================================================================
OSSA-2019-006: Credentials API allows listing and retrieving of all users credentials
=====================================================================================

:Date: December 09, 2019
:CVE: CVE-2019-19687


Affects
~~~~~~~
- Keystone: ==15.0.0, ==16.0.0


Description
~~~~~~~~~~~
Daniel Preussker reported a vulnerability in Keystone's list
credentials API. Any user with a role on a project is able to list any
credentials with the /v3/credentials API when [oslo_policy]
enforce_scope is false. Users with a role on a project are able to
view any other users credentials, which could leak sign-on information
for Time-based One Time Passwords (TOTP) or othewise. Deployments
running keystone with [oslo_policy] enforce_scope set to false are
affected. There will be a slight performance impact for the list
credentials API once this issue is fixed.


Patches
~~~~~~~
- https://review.opendev.org/697731 (Stein)
- https://review.opendev.org/697611 (Train)
- https://review.opendev.org/697355 (Ussuri)


Credits
~~~~~~~
- Daniel Preussker (CVE-2019-19687)


References
~~~~~~~~~~
- https://bugs.launchpad.net/keystone/+bug/1855080
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19687